fix: resolve remaining critical security issues

Critical security fixes:
1. API key no longer passed in process arguments (update-exa-mcp.sh)
   - Changed from command line argument to environment variable
   - Prevents exposure via ps/process lists

2. Removed hardcoded user path (setup-claude-code-mcp.sh)
   - Changed /Users/mojwang to $HOME for portability
   - Supports all users, not just hardcoded username

These changes ensure:
- API keys are not visible in process lists
- Scripts work for any user without modification
- Better security posture overall

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: mojwang

scripts/setup-claude-code-mcp.sh

@@ -49,7 +49,7 @@ add_claude_code_server() {
     case "$server_type" in
         "node")
             if [[ "$server_name" == "filesystem" ]]; then
-                claude mcp add "$server_name" -s "$scope" node "$server_path" "/Users/mojwang"
+                claude mcp add "$server_name" -s "$scope" node "$server_path" "$HOME"
             elif [[ -n "$api_key_var" ]]; then
                 claude mcp add "$server_name" -s "$scope" node "$server_path" --env "${api_key_var}=${!api_key_var}"
             else

scripts/update-exa-mcp.sh

@@ -26,9 +26,10 @@ import sys
 import os
 import subprocess
 
-api_key = sys.argv[1] if len(sys.argv) > 1 else None
+# Get API key from environment variable for security
+api_key = os.environ.get('EXA_API_KEY')
 if not api_key:
-    print("Error: No API key provided")
+    print("Error: No API key provided (set EXA_API_KEY environment variable)")
     sys.exit(1)
 
 # Get current settings
@@ -79,8 +80,8 @@ else:
     print("Successfully updated Exa MCP configuration!")
 EOF
 
-    # Run the Python script
-    python3 /tmp/update_exa_mcp.py "$api_key"
+    # Run the Python script with API key via environment variable
+    EXA_API_KEY="$api_key" python3 /tmp/update_exa_mcp.py
 
     # Clean up
     rm -f /tmp/update_exa_mcp.py